Department of Homeland Security

Information Technology Management Letter for the
Citizenship and Immigration Services Component of
the FY 2012 Department of Homeland Security
Financial Statement Audit

OIG-13-81                                        April 2013


OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

April 24, 2013

MEMORANDUM FOR:   Mark Schwartz
                  Chief Information Officer
                  U.S. Citizenship and Immigration Services

                  Joseph Moore
                  Chief Financial Officer
                  U.S. Citizenship and Immigration Services

FROM:             Frank Deffer
                  Assistant Inspector General
                  Office of Information Technology Audits

SUBJECT:          Information Technology Management Letter for the
                  Citizenship and Immigration Services Component of the FY
                  2012 Department of Homeland Security Financial
                  Statement Audit

Attached for your action is our final report, Information Technology Management Letter for the Citizenship and Immigration Services Component of the FY 2012 Department of Homeland Security Financial Statement Audit. The independent accounting firm KPMG LLP (KPMG) performed the Department of Homeland Security (DHS) financial statement audit as of September 30, 2012, and prepared this information technology (IT) management letter.

KPMG is responsible for the attached IT management letter dated December 20, 2012, and the conclusion expressed in it. We do not express an opinion on DHS' financial statements or internal controls or conclusions on compliance with laws and regulations. The DHS management concurred with all recommendations.

Consistent with our responsibility under the Inspector General Act, we are providing copies of our report to appropriate congressional committees with oversight and appropriation responsibility over the Department of Homeland Security. We will post the report on our website for public dissemination.

Please call me with any questions, or your staff may contact Sharon Huiswoud, Director, Information Systems Audit Division, at (202) 254-5451.

Attachment


KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

April 4, 2013

Inspector General
U.S. Department of Homeland Security

Chief Information Officer and
Chief Financial Officer
U.S. Citizenship and Immigration Services

We have audited the balance sheet of the U.S. Department of Homeland Security (DHS or Department) as of September 30, 2012, and the related statements of net cost, changes in net position, and custodial activity, and combined statement of budgetary resources for the year then ended (referred to as the "fiscal year (FY) 2012 financial statements"). We were also engaged to audit the Department's internal control over financial reporting of the FY 2012 financial statements. The objective of our audit engagement was to express an opinion on the fair presentation of the FY 2012 financial statements and the effectiveness of internal control over financial reporting of the FY 2012 financial statements.

In accordance with Government Auditing Standards, our Independent Auditors' Report, dated November 14, 2012, included internal control deficiencies identified during our audit engagement that, in aggregate, represented a material weakness in information technology (IT) controls and financial system functionality at the DHS Department-wide level. This letter represents the separate limited distribution report mentioned in that report, of matters related to U.S. Citizenship and Immigration Services (USCIS).

During our audit engagement, we noted certain matters in the areas of access controls, configuration management, security management, and segregation of duties with respect to USCIS' financial systems general IT controls (GITC) which we believe contribute to a DHS Department-wide material weakness in IT controls and financial system functionality. These matters are described in the General IT Control Findings and Recommendations section of this letter.

The comments described herein have been discussed with the appropriate members of management, or communicated through Notices of Findings and Recommendations (NFRs), and are intended For Official Use Only. We aim to use our knowledge of DHS' organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you. We have not considered internal control since the date of our Independent Auditors' Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key USCIS financial systems and IT infrastructure within the scope of the FY 2012 DHS financial statement audit engagement in Appendix A; a description of each internal control finding in Appendix B; and the current status of prior year NFRs in Appendix C. Our comments related to financial management and reporting internal controls (comments not related to IT) have been presented in a separate letter to the Office of Inspector General (OIG) and the DHS Chief Financial Officer.

This report is intended solely for the information and use of DHS management, DHS OIG, U.S. Office of Management and Budget (OMB), U.S. Government Accountability Office (GAO), and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.


Department of Homeland Security
United States Citizenship and Immigration Services
Information Technology Management Letter
September 30, 2012

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

                                                                        Page

Objective, Scope, and Approach                                             1
Summary of Findings and Recommendations                                    2
General IT Control Findings and Recommendations                            3
   Findings                                                                3
      Configuration Management                                             3
      Access Controls                                                      3
      Segregation of Duties                                                3
      Security Management                                                  3
         After-Hours Physical Security Testing                             4
         Social Engineering Testing                                        4
   Recommendations                                                         5
      Configuration Management                                             5
      Access Controls                                                      5
      Segregation of Duties                                                5
      Security Management                                                  6
Application Controls                                                       6

APPENDICES

Appendix   Subject                                                                                  Page

A          Description of Key USCIS Financial Systems and IT Infrastructure within the
           Scope of the FY 2012 DHS Financial Statement Audit                                          7

B          FY 2012 Notices of IT Findings and Recommendations at USCIS                                10

C          Status of Prior Year Notices of Findings and Recommendations and Comparison
           to Current Year Notices of Findings and Recommendations at USCIS                           13

Information Technology Management Letter for the Citizenship and Immigration Services
Component of the FY 2012 Department of Homeland Security Financial Statement Audit


OBJECTIVE, SCOPE, AND APPROACH

In connection with our financial statement audit of DHS as of and for the year ended September 30, 2012, we performed an evaluation of the general Information Technology (IT) controls (GITCs) at USCIS to assist in planning and performing our audit. The DHS Immigration and Customs Enforcement (ICE) hosts a key financial application for USCIS. As such, our audit procedures over GITCs for USCIS included testing of ICE's Federal Financial Management System (FFMS) policies, procedures, and practices, as well as USCIS policies, procedures and practices at USCIS' Headquarters.

Federal Information System Control Audit Manual (FISCAM) was designed to inform financial statement auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial statement audit. FISCAM also provides guidance to auditors when considering the scope and extent of review that generally should be performed when evaluating GITCs and the IT environment of a Federal agency. FISCAM defines the following five control functions to be essential to the effective operation of GITCs and the IT environment.

•  Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.

•  Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.

•  Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.

•  Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.

•  Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our GITC audit procedures, we assessed corrective actions implemented to address prior year findings over technical security testing for key network and system devices and key financial application controls in the ICE environment. In addition, we enhanced our GITC scope to include additional vulnerability testing at USCIS.

Page 1


SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2012, USCIS initiated corrective action plans to address some prior year IT control deficiencies. As a result, improvement was made in the area of effective password configurations over two financial systems. In addition, we continued to identify GITC deficiencies that could potentially impact USCIS's financial data. The most significant findings were related to the FFMS configuration and patch management, and deficiencies in security awareness. Collectively, the IT control deficiencies limited USCIS's ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these control deficiencies negatively impacted the internal controls over USCIS' financial reporting and its operations and we consider them to contribute to a material weakness at the Department level under standards established by the American Institute of Certified Public Accountants. In addition, based upon the results of our test work, we noted that ICE contributes to the DHS' noncompliance with the requirements of the Federal Financial Management Improvement Act of 1996.

Of the 19 findings identified during our FY 2012 testing, eight were new IT findings. These findings represent control deficiencies in four of the five FISCAM key control areas: configuration management, access controls, segregation of duties, and security management. Specifically, these control deficiencies include:

    1.  A lack of audit logging within the financial applications;
    2.  Security management issues involving staff security training and exit processing procedure weaknesses;
    3.  Inadequately designed and operating configuration management; and
    4.  The lack of effective segregation of duties controls within the network and a financial application.

These control deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and USCIS financial data could be exploited, thereby compromising the integrity of financial data used by management as reported in DHS' consolidated financial statements.

While the recommendations made by us should be considered by USCIS, it is the ultimate responsibility of USCIS management to determine the most appropriate method(s) for addressing the weaknesses identified.

Page 2


GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings:

During our engagement to audit the FY 2012 DHS financial statements, we identified the following USCIS GITC control deficiencies that in the aggregate contribute to the IT material weakness at the Department level.

Configuration Management

•  Security configuration management over FFMS included several configuration and patch management weaknesses with the configuration of the FFMS Oracle databases, FFMS servers, and Cisco routers and switches.

Access Controls

•  The following account management control deficiencies over CIS1, CLAIMS 3 Local Area Network (LAN), and CLAIMS 4:
      –  Lack of recertification of CLAIMS 3 LAN/CLAIMS 4 system users and CIS 1 network administrators.
      –  User access is not documented and maintained for CLAIMS 4.
      –  Temporary users for the CIS1 network did not obtain supervisory approval.
      –  Lack of policies and procedures for separated CLAIMS 3 LAN user accounts.

•  Lack of processes in place for sanitization of equipment and media.
•  Audit logs are not captured for CLAIMS 4. However, audit logs are captured for CLAIMS 3 LAN; yet, USCIS has not implemented a process to review the logs on a periodic basis.
•  Visitor access to the Vermont Service Center (VSC) was not appropriately controlled.

Segregation of Duties

•  CIS1 network administrator access privileges were not appropriately segregated. Thirty-nine administrators retained access to one or more administrator access groups, which is not required to perform administrator job functions.
•  Segregation of duties controls over CLAIMS 3 LAN user roles has not been established.

Security Management

•  Procedures for transferred/terminated personnel exit processing have not been fully implemented.
•  Lack of Computer Security Awareness Training compliance.
•  Role-based IT Security training is not monitored.

Page 3

•  Two financial systems failed to obtain Authority to Operate (ATO) for several quarters of the fiscal year:
      –  Sixteen high risk vulnerabilities were identified in CLAIMS 4.
      –  Forty-two high risk vulnerabilities were identified in CLAIMS 3 LAN.

After-Hours Physical Security Testing:

We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects included physical access to media and equipment that housed financial data and information residing within a USCIS employee's or contractor's work area, which could be used by others to gain unauthorized access to systems housing financial information. The testing was performed at the USCIS headquarters location that processes and/or maintains financial data. The specific results are listed in the following table:

Exceptions Noted                          Exceptions Noted at 111      Exceptions Noted at 111
                                          Mass. Ave – Lower Level      Mass. Ave – 5th Floor
Passwords                                            21                           21
For Official Use Only                                 3                           12
Keys                                                  5                            3
Personally Identifiable Information                   8                            8
Unlocked Laptop                                       1                            4
Server Names/IP Addresses                             2                            5
Credit Cards                                          3                            1
Total Exceptions at USCIS                            43                           54

Additionally, KPMG was able to access the facility by providing an expired non-DHS government badge to the security guard.

Social Engineering Testing:

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing/enabling computer system access. The term typically applies to deception for the purpose of information gathering, or gaining computer system access. The results are shown in the following table:

Total Called    Total Answered    Number of people who provided a username and/or password
45              15                3 – Both User Name and Password

Page 4


Recommendations:

We recommend that the USCIS Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS Office of Chief Financial Officer (OCFO) and the DHS Office of the Chief Information Officer (OCIO), make the following improvements to USCIS's financial management systems and associated information technology security program.

Configuration Management

Unless specifically noted where USCIS needs to take specific corrective action, we recommend that the USCIS CIO and CFO, in coordination with the ICE OCFO and the ICE OCIO, make the following improvements to ICE's information technology:

•  Examine the default configuration installations and system services installed on FFMS network devices and remove unnecessary system services.
•  Ensure that password configuration settings are properly and effectively applied.
•  Assess the patch deployment and testing processes and develop a process for patching applications across the enterprise.
•  Implement appropriate FFMS database and network server patches and configuration baseline parameters consistent with DHS guidelines.

We recommend that USCIS:

•  Monitor the ICE Mission Action Plan for the FFMS vulnerabilities that impact USCIS operations.

Access Controls

•  Develop, approve, and implement access control policies and procedures to ensure that CLAIMS 3 LAN, CIS 1 and CLAIMS 4 system administrator and user accounts are documented, approved, and recertified annually.
•  Develop, approve, and implement access control policies and procedures to ensure that management of equipment and media is in accordance with National Institute of Standards and Technology guidance.
•  Ensure that access is removed for separated CLAIMS 3 LAN accounts upon departure from the agency.
•  Finalize the audit and accountability policy and procedures which enforce regular review of system activity logs.
•  Update VSC physical security policies and procedures to stipulate the requirements of visitor entry to sensitive facilities.

Segregation of Duties

•  Complete the account recertification process on CIS1 system/domain administrator accounts.

Page 5

•  Develop, authorize, and implement procedures and operations manuals for CLAIMS 3 LAN segregation of duties.

Security Management

•  Monitor the implementation plan to assure the exit clearance procedures have been implemented for Federal employees and contractors.
•  Finalize the implementation of the Information Security Training Program and ensure all USCIS employees receive information security training commensurate to their job duties and in compliance with Federal regulations.
•  Develop and enforce policies and procedures to ensure that staff are complying with information, physical, and privacy security policies.

USCIS obtained an ATO for CLAIMS 3 LAN in March 2012 and CLAIMS 4 in July 2012. Therefore, no recommendation will be provided for the ATO weaknesses.


APPLICATION CONTROLS

As a result of the GITC control deficiencies noted above, manual compensating controls were tested in place of application controls.

Page 6


Appendix A

Description of Key USCIS Financial Systems and IT Infrastructure
within the Scope of the FY 2012 DHS Financial Statement Audit

Page 7


Below is a description of significant USCIS financial management systems and supporting IT infrastructure included in the scope of the USCIS component of the DHS FY 2012 financial statement audit.

CLAIMS 3 Local Area Network (LAN)

CLAIMS 3 LAN provides USCIS with a decentralized, geographically dispersed LAN based mission support case management system, with participation in the centralized CLAIMS 3 mainframe data repository. CLAIMS 3 LAN supports the requirements of the Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90) and USCIS forms improvement projects. The CLAIMS 3 LAN is located at the following service centers and district offices: Nebraska, California, Texas, Vermont, Baltimore District Office, National Business Center, and Administrative Appeals Office. CLAIMS 3 LAN interfaces with the following systems:
•  Citizenship and Immigration Services Centralized Oracle Repository
•  CLAIMS 3 Mainframe
•  Integrated Card Production System
•  CLAIMS 4
•  E-filing
•  Benefits Biometric Support System
•  Refugee, Asylum, and Parole System
•  National File Tracking System
•  Integrated Card Production System
•  Customer Relationship Interface System
•  USCIS Enterprise Service Bus

CLAIMS 4

The purpose of CLAIMS 4 is to track and manage naturalization applications. CLAIMS 4 is a client/server application. The central Oracle Database is located in Washington, DC while application servers and client components are located throughout USCIS service centers and district offices. CLAIMS 4 interfaces with the following systems:
•  Central Index System (CIS)
•  Reengineered Naturalization Automated Casework System
•  CLAIMS 3 LAN and Mainframe
•  Refugee, Asylum, and Parole System
•  Enterprise Performance Analysis System
•  National File Tracking System
•  Asylum Pre-Screening System

Page 8

•  USCIS Enterprise Service Bus
•  Biometrics Benefits Support System
•  Enterprise Citizenship and Immigration Service Centralized Operational Repository
•  Customer Relationship Interface System
•  FD 258 Enterprise Edition and Mainframe
•  Site Profile System

Federal Financial Management System (FFMS)

The FFMS is a CFO designated financial system and certified software application that conforms to OMB Circular A-127 and implements the use of a Standard General Ledger for the accounting of agency financial transactions. It is used to create and maintain a record of each allocation, commitment, obligation, travel advance and accounts receivable issued. It is the system of record for the agency and supports all internal and external reporting requirements. FFMS is a commercial off-the-shelf financial reporting system. It includes the core system used by accountants, FFMS Desktop that is used by average users, and a National Finance Center payroll interface. The FFMS mainframe component and 14 servers are hosted at the DHS DC2 facility located in Virginia. FFMS currently interfaces with Treasury, BMIS Web, and FedTraveler.

CIS1 Network

The USCIS network, also known as CIS1, is the Active Directory Domain Services Platform used within the USCIS that contains all of USCIS's Active Directory and Exchange resources. CIS1 is a part of the Enterprise Infrastructure Services accreditation boundary and all Active Directory information, including the Active Directory database itself, is hosted on specified servers called Domain Controllers. These 52 Active Directory Domain Controllers are located throughout the country, with the majority of them being located in Virginia and Nebraska.

Page 9


Appendix B

FY 2012 Notices of IT Findings and Recommendations at USCIS

Page 10
FY 2012 NFR #   FISCAM Control Area        Issue    NFR Title
CIS-IT-12-01    Access Controls            Repeat   Policies and Procedures for CLAIMS 3 LAN and CLAIMS 4 Audit Logs
CIS-IT-12-02    Access Controls            Repeat   Inadequate Access Request Forms for CLAIMS 4 System Users
CIS-IT-12-03    Access Controls            Repeat   Weak Logical Access Controls Exist over CLAIMS 4
CIS-IT-12-04    Security Management        New      Security Awareness Issues Identified during After-Hours Walkthrough
CIS-IT-12-05    Access Controls            Repeat   Lack of Segregation of Duties for CLAIMS 3 LAN
CIS-IT-12-06    Access Controls            Repeat   Periodic User Access Reviews are not Performed for CLAIMS 3 LAN Users
CIS-IT-12-07    Configuration Management   Repeat   FFMS Vulnerability Weaknesses Impact USCIS Operations
CIS-IT-12-08    Security Management        New      Security Awareness Issues were Identified during Social Engineering
CIS-IT-12-09    Access Controls            Repeat   Procedures for Transferred/Terminated Personnel Exit Processing are not Finalized
CIS-IT-12-10    Access Controls            Repeat   Lack of Policies and Procedures for Separated CLAIMS 3 LAN Accounts
CIS-IT-12-11    Access Controls            Repeat   Equipment and Media Policies and Procedures are not Current
CIS-IT-12-12    Security Management        Repeat   Lack of Computer Security Awareness Training Compliance
CIS-IT-12-13    Security Management        Repeat   Lack of Role-Based Training for Key Security Personnel
CIS-IT-12-14    Security Management        New      Lack of ATO for CLAIMS 3 LAN
CIS-IT-12-15    Security Management        New      Lack of ATO for CLAIMS 4
CIS-IT-12-16    Segregation of Duties      New      Lack of Segregation of Duties Controls over CIS 1
CIS-IT-12-17    Access Controls            New      Visitor Access Controls are Inadequate at the VSC
CIS-IT-12-18    Access Controls            New      Inadequate CIS 1 Access Request Forms for Temporary Users
CIS-IT-12-19    Access Controls            New      Incomplete Recertification for CIS 1 Network Administrators

Issue: "New" marks a finding first identified in FY 2012; "Repeat" marks a finding also reported in
FY 2011 and carried forward (see Appendix C).
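Three of the access-control findings above concern the account lifecycle rather than a single
system setting: periodic user access reviews (CIS-IT-12-06), handling of separated users'
accounts (CIS-IT-12-10), and recertification of network administrators (CIS-IT-12-19). Each of
them is a check that can be run mechanically from a directory export, an HR separation feed
and an attestation log. The script below is an added example written for this letter, not
USCIS code and not part of the KPMG work; the column names, the 90-day stale threshold, the
365-day recertification window, the privileged-group list and every account in it are
assumptions constructed for illustration.

```python
"""Added example: three account-lifecycle checks an access review would run.

Not USCIS code and not part of the KPMG letter. Column names, thresholds
and every account below are constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

AS_OF = date(2012, 9, 30)      # "as of" date of the audit in the letter
STALE_DAYS = 90                # assumed: enabled account with no logon in 90 days is stale
RECERT_MAX_AGE_DAYS = 365      # assumed: privileged accounts must be re-attested yearly
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators", "Account Operators"}  # assumed

# Constructed directory export (the kind a domain-controller query would yield).
ACCOUNT_EXPORT = """\
account,enabled,last_logon,groups
asmith,true,2012-09-28,Domain Users
bjones,true,2012-04-01,Domain Users
cwong,true,2012-09-20,Domain Users;Domain Admins
dlee,false,2011-12-15,Domain Users
erivera,true,2012-09-29,Domain Users;Domain Admins
svc_backup,true,2012-09-30,Domain Users;Backup Operators
"""

# Constructed HR separation feed.
SEPARATIONS = """\
account,separation_date
bjones,2012-05-15
dlee,2011-12-10
"""

# Constructed recertification log: when a manager last attested each admin account.
RECERTIFICATIONS = """\
account,recertified_on
cwong,2012-07-01
"""


def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def enabled(row):
    """True when the export marks the account as enabled."""
    return row["enabled"].strip().lower() == "true"


def find_separated_enabled(accounts, separations, as_of=AS_OF):
    """Accounts still enabled although HR recorded a separation on or before as_of."""
    left = {r["account"]: date.fromisoformat(r["separation_date"]) for r in separations}
    return sorted(a["account"] for a in accounts
                  if enabled(a) and a["account"] in left and left[a["account"]] <= as_of)


def find_stale(accounts, as_of=AS_OF, threshold_days=STALE_DAYS):
    """Enabled accounts whose last logon is older than the review threshold."""
    cutoff = as_of - timedelta(days=threshold_days)
    return sorted(a["account"] for a in accounts
                  if enabled(a) and date.fromisoformat(a["last_logon"]) < cutoff)


def find_unrecertified_admins(accounts, recerts, as_of=AS_OF,
                              max_age_days=RECERT_MAX_AGE_DAYS):
    """Enabled members of privileged groups with no attestation, or one older than max_age_days."""
    attested = {r["account"]: date.fromisoformat(r["recertified_on"]) for r in recerts}
    cutoff = as_of - timedelta(days=max_age_days)
    flagged = []
    for a in accounts:
        if not enabled(a):
            continue
        if not set(a["groups"].split(";")) & PRIVILEGED_GROUPS:
            continue
        when = attested.get(a["account"])
        if when is None or when < cutoff:
            flagged.append(a["account"])
    return sorted(flagged)


def run_review():
    """Run all three checks and return the exception lists an auditor would ask for."""
    accounts = load(ACCOUNT_EXPORT)
    return {
        "separated_still_enabled": find_separated_enabled(accounts, load(SEPARATIONS)),
        "stale_enabled": find_stale(accounts),
        "admins_needing_recert": find_unrecertified_admins(accounts, load(RECERTIFICATIONS)),
    }


if __name__ == "__main__":
    for check, hits in run_review().items():
        print(f"{check}: {hits or 'none'}")
```

In practice the account export comes from the directory itself, the separation feed from the
personnel system, and the thresholds from the agency's own policy; the script deliberately
ignores disabled accounts so that a separated user whose account was already disabled is not
reported as an exception. The three lists it returns are the evidence a reviewer would retain
to show that the periodic review was actually performed.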
Appendix C

Status of Prior Year Notices of Findings and Recommendations and
Comparison to Current Year Notices of Findings and Recommendations at USCIS

NFR #           Disposition   Description
CIS-IT-11-01    Repeat        Equipment and media policies and procedures are not current
CIS-IT-11-02    Closed        Weak password configuration controls for CLAIMS 4
CIS-IT-11-03    Repeat        Policies and procedures for CLAIMS 3 LAN and CLAIMS 4 audit logs
CIS-IT-11-04    Repeat        Policies and procedures for separated CLAIMS 3 LAN accounts
CIS-IT-11-05    Repeat        Periodic user access reviews are not performed for CLAIMS 3 LAN users
CIS-IT-11-06    Repeat        Procedures for transferred/terminated personnel exit processing are not finalized
CIS-IT-11-07    Repeat        Incomplete or inadequate access request forms for CLAIMS 3 LAN and CLAIMS 4 system users
CIS-IT-11-08    Closed        ICE resource server and inadequate patch management weaknesses impact USCIS operations
CIS-IT-11-09    Closed        Weak password configuration controls for CLAIMS 3 LAN
CIS-IT-11-10    Repeat        Weak logical access controls exist over CLAIMS 4
CIS-IT-11-11    Closed        Ineffective safeguards over physical access to sensitive facilities and resources
CIS-IT-11-12    Closed        VPN access request forms are not properly maintained
CIS-IT-11-13    Repeat        Lack of segregation of duties for CLAIMS 3 LAN
CIS-IT-11-14    Closed        ADEX access request forms are not properly maintained
CIS-IT-11-15    Repeat        Lack of computer security awareness training compliance
CIS-IT-11-16    Repeat        Lack of role-based training for key security personnel
CIS-IT-11-17    Repeat        FFMS vulnerability weaknesses affect USCIS operations

Disposition: "Closed" means the prior-year finding was remediated; "Repeat" means it was
reissued in FY 2012 under a new NFR number (see Appendix B).


                              OFFICE OF INSPECTOR GENERAL
                                  Department of Homeland Security

   Appendix A
   Report Distribution
   Department of Homeland Security

   Secretary
   Deputy Secretary
   Chief of Staff
   Deputy Chief of Staff
   General Counsel
   Executive Secretary
   Director, GAO/OIG Liaison Office
   Assistant Secretary for Office of Policy
   Assistant Secretary for Office of Public Affairs
   Assistant Secretary for Office of Legislative Affairs
   Under Secretary for Management
   Chief Financial Officer
   Chief Information Officer
   Chief Information Security Officer
   Acting Chief Privacy Officer

   Office of Management and Budget

   Chief, Homeland Security Branch
   DHS OIG Budget Examiner

   Congress

   Congressional Oversight and Appropriations Committees, as appropriate


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this document, please call us at (202) 254-4100, fax your
request to (202) 254-4305, or e-mail your request to our Office of Inspector General
(OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.

For additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter
at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any
other kinds of criminal or noncriminal misconduct relative to Department of Homeland
Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov
and click on the red tab titled "Hotline" to report. You will be directed to complete and
submit an automated DHS OIG Investigative Referral Submission Form. Submission
through our website ensures that your complaint will be promptly received and
reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing
to: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245
Murray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may
call 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.